SATANA Ransomware - How To Remove?


Another ransomware virus has been named after a fictional character from Marvel Comics. This time Satana is the villain being honored: a half-demon, a daughter of Satan, groomed to be evil and sow chaos. The SATANA virus can make any computer bow to it, and it surprised security researchers with its two-key encryption technique. Because the virus provides a specific contact address (gricakova@techemail.com), its origin has been placed somewhere in Bosnia.

About SATANA Ransomware

The SATANA virus is said to be modelled on two other threats, Petya and Mischa. After SATANA ransomware uses its techniques to enter a computer system, it turns to its main task: personal files are on its radar. As mentioned, SATANA uses a powerful and equally frightening combination of the RSA and AES ciphers. AES is used to encrypt the selected data, and the AES key needed for decryption is generated on the victim's machine. That key is then itself encrypted with the attackers' RSA cipher, so only the holder of the matching RSA private key can recover it, and finding that private key by any other means is an extremely laborious toil. The hackers behind attacks like SATANA are no fools: they know where victims keep their important data.

Encrypted files are renamed. Unlike other ransomware Trojans, which usually append an extension, the SATANA virus prepends gricakova@techemail.com to the file name. Furthermore, SATANA ransomware leaves hints so that you finally realize who is in charge: a message on startup, a pop-up once the encryption is over, and a !satana!.txt file. The message of demands looks like this:

“You had bad luck. There was crypting of all your files in a FS bootkit virus
SATANA!
To decrypt you need send on this E-mail: banetnatia@mail.com your private code: {unique identification of the victim here} and pay on a Bitcoin Wallet: XjU81vkJn4kExpBE2r92tcA3zXVdbfux6T total 0,5 btc After that during 1 – 2 days the software will be sent to you – decryptor – and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program – decryptor – can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files. If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer!
E-mail: banetnatia@mail.com – this is our mail
CODE: {unique identification code of the victim here} this is code; you must send
BTC: XjU81vkJn4kExpBE2r92tcA3zXVdbfux6T here need to pay 0,5 bitcoins
How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press “ENTER” to continue the normal download on your computer. Good luck! May God help you!
SATANA!”
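To help a responder confirm the infection and list what has to be recovered, here is an added Python example (not code from the original article) that scans a list of file paths for the two markers described above: the prepended contact address and the !satana!.txt note. The optional separator after the prefix and the sample paths are assumptions.

```python
from pathlib import PureWindowsPath

# Indicators quoted on the page: the contact address SATANA prepends to
# every encrypted file name, and the ransom note it drops next to them.
SATANA_PREFIX = "gricakova@techemail.com"
RANSOM_NOTE = "!satana!.txt"

def original_name(filename):
    """Return the pre-encryption name if `filename` carries the SATANA prefix,
    else None. The page only says the address is prepended; tolerating an
    optional '_' or '-' separator after it is an assumption made here."""
    if not filename.startswith(SATANA_PREFIX):
        return None
    rest = filename[len(SATANA_PREFIX):]
    if rest[:1] in ("_", "-"):
        rest = rest[1:]
    return rest or None

def triage(paths):
    """Classify Windows file paths collected from an affected host. Returns
    encrypted files mapped to their original paths, the directories that
    hold a ransom note, and how many files look untouched."""
    encrypted, note_dirs, clean = {}, set(), 0
    for p in paths:
        pp = PureWindowsPath(p)
        if pp.name.lower() == RANSOM_NOTE:
            note_dirs.add(str(pp.parent))
            continue
        orig = original_name(pp.name)
        if orig is None:
            clean += 1
        else:
            encrypted[p] = str(pp.with_name(orig))
    return {"encrypted": encrypted, "note_dirs": sorted(note_dirs), "clean": clean}

# Constructed sample listing (not from a real incident) to exercise the logic.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\gricakova@techemail.com_budget.xlsx",
    r"C:\Users\alice\Documents\!satana!.txt",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Pictures\gricakova@techemail.com_holiday.jpg",
    r"C:\Users\alice\Pictures\!SATANA!.txt",
]

if __name__ == "__main__":
    result = triage(SAMPLE_PATHS)
    for enc, orig in result["encrypted"].items():
        print(f"{enc} -> {orig}")
    print("ransom notes in:", result["note_dirs"], "| untouched:", result["clean"])
```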

How to Decrypt Files Encrypted by SATANA Ransomware?

The demanded ransom is 0.5 BTC, to be paid within seven days of receiving the note. If not, all of the encrypted data will be lost. We have never recommended carrying out this task that hackers set their victims. Evidence suggests that sometimes, even after transferring the demanded sum, users did not receive a decryption key, and in some cases the code they received did not work. Our best advice is to restore your information from backups, since no specific recovery tool has been released yet. Until one is, victims can try other file recovery tools: PhotoRec, R-Studio or one of the tools from Kaspersky.

How is SATANA Ransomware Distributed?

Malicious JavaScript files and payload loaders can be hidden in seemingly innocent attachments that arrive in your email accounts. These spam letters encourage people to download the attachment. Do not even pay attention to messages sent from unknown sources. Clean out your email accounts regularly and make sure not to fall for any tricks. Furthermore, in some cases, attachments can lead users to an infected site that delivers malicious code into the computer through an exploit kit. If after reading this article you feel exposed to the SATANA virus, do not worry: we are here to recommend some of the most efficient anti-virus tools. Spyhunter, Reimage or Hitman will act as your guardian angels and eliminate SATANA ransomware without delay. We also provide a guide for manual removal. However, it is not as safe as our first suggestion. Manual removal of ransomware viruses is tricky and only experienced users should attempt to fix their computers on their own.

How to recover SATANA Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points created before the SATANA virus infiltrated your system and click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of SATANA Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program such as Reimage and remove all malicious files related to the SATANA virus.


Step 3. Restore SATANA Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to recover files from shadow copy snapshots. They store copies of your files as they were at the point in time when the system restore snapshot was created. Usually the SATANA virus tries to delete all available Shadow Volume Copies, so this method may not work on every computer. However, it sometimes fails to do so, and surviving snapshots can then be used.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via a Shadow Volume Copy: the native Windows Previous Versions feature or the Shadow Explorer tool.
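Before trying either method, it is worth checking whether any Shadow Volume Copies actually survived. The following Python example, added here and not part of the original guide, parses the output of `vssadmin list shadows` (run from an elevated Command Prompt) and picks the snapshots older than the estimated infection time; the sample output, its GUIDs and the host name are constructed, and the exact line layout is assumed from vssadmin's usual output.

```python
import re
from datetime import datetime

# Parses the text of `vssadmin list shadows` (run from an elevated prompt)
# to see which Shadow Volume Copies survived before trying Previous Versions
# or Shadow Explorer. Line layout is assumed from vssadmin's usual output.
SET_RE = re.compile(r"Contained \d+ shadow copies at creation time: (.+)")
VOL_RE = re.compile(r"Original Volume: \((\w:)\)")
DEV_RE = re.compile(r"Shadow Copy Volume: (\S+)")

def parse_shadow_listing(text):
    """Return one dict {volume, created, device} per surviving snapshot."""
    snapshots, created = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SET_RE.search(line)
        if m:
            created = datetime.strptime(m.group(1).strip(), "%m/%d/%Y %I:%M:%S %p")
            continue
        m = VOL_RE.search(line)
        if m:
            snapshots.append({"volume": m.group(1), "created": created, "device": None})
            continue
        m = DEV_RE.search(line)
        if m and snapshots:
            snapshots[-1]["device"] = m.group(1)
    return snapshots

def usable_before(snapshots, infection_time):
    """Snapshots taken before the estimated infection time, newest first;
    later ones may already hold the encrypted versions of the files."""
    ok = [s for s in snapshots if s["created"] < infection_time]
    return sorted(ok, key=lambda s: s["created"], reverse=True)

# Constructed sample output; GUIDs and the host name are placeholders.
SAMPLE_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 6/27/2016 9:15:02 PM
      Shadow Copy ID: {00000000-0000-0000-0000-00000000000a}
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-0000000000c0}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000002}
   Contained 1 shadow copies at creation time: 6/29/2016 12:47:30 AM
      Shadow Copy ID: {00000000-0000-0000-0000-00000000000b}
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-0000000000c0}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
"""
```

On a real host, feed the captured output of `vssadmin list shadows` to `parse_shadow_listing` and pass the time the ransom note first appeared as `infection_time`.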

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous Versions tab. You will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy to save it to a directory of your own, or Restore to replace the existing, encrypted file. If you want to check the content of the file first, click Open.

b) Shadow Explorer

Shadow Explorer is a program that can be found online for free, as either a full or a portable version. Open the program and, in the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”, then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover SATANA Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in every case, but you can try the following:

  • We suggest using another PC and connecting the infected hard drive to it as a secondary (slave) drive. It is still possible to do this on the infected PC, though.
  • Download Data Recovery Pro (commercial).
  • Install it and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.


About the author

 - Main Editor
I started 2-viruses.com in 2007, wanting to be more or less independent from any single security program maker. Since then, we have kept working on this site to make the internet a better and safer place.
 
June 29, 2016 00:47, January 4, 2017 03:24
